• SHIPP, A. 

Appl. No. 10/500,954 

Response to Office Action dated October 30, 2008 
AMENDMENTS TO THE CLAIMS 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

Listing of Claims 

Claim 1 (Currently Amended): An anti-malware file scanning comput e r system 
for computer files being transferred between computers, the system being implemented 
on a computer apparatus and comprising: 

a) a computer database containing records of known executable programs 
which are deemed to be not malware and criteria by which a file being processed can be 
determined to be an instance of one of those programs, the criteria including at least one 
characteristic signature associated with each said instance; 

b) means for processing a file being transferred between computers, the means 
b) comprising: 

a file recogniser operative to determine whether the file being processed is an 
instance of a known program by checking the contents of the file being processed for the 
presence of said at least one characteristic signature associated with the said instances; 
and 

a difference checker operative, in the case that the file recogniser determines the 
file being processed to be an instance of a known program, to check whether the file is an 
unchanged version of that known program; and 

c) means for signalling the file, depending on the determination made by the 
processing means, as being: 

likely to be not malware if it is an unchanged version of a known file; 

likely to be malware if it is a changed version of a known file; or 

of unknown status if it is not determined as being an instance of a known file. 
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Claim 2 (Currently Amended): A comput e r system according to claim 1 and 
including: 

d) means for processing a file being transferred between computers to 
determine whether it is considered to be, or considered possibly to be, malware, and 
wherein the means d) is operative to subject a file to processing if the file is signaled by 
the signalling means c) as being of unknown status. 

Claims 3 and 4 (Canceled). 

Claim 5 (Currently Amended): A comput e r system according to claim 1 
wherein the difference checker is operative to generate a checksum for the entire file 
under consideration or for at least one selected region thereof, and to compare the 
checksum or checksums with those of entries in the database. 

Claim 6 (Currently Amended): A computer system according to claim 1 and 
including an exception list handler operative to determine, in relation to a file which the 
processing means b) has determined is a changed version of a known file, whether that 
file has characteristics matching an entry in an exception list of files, the signalling means 
c) being operative to signal the file as malware only if it is not in the exception list or as 
being of unknown status otherwise. 

Claim 7 (Currently Amended): A method of anti-malware scanning computer 
files being transferred between computers, the method comprising: 

maintaining a computer database containing records of known executable 
programs which are deemed to be uninfected and criteria by which a file being processed 
can be determined to be an instance of one of those programs, the criteria including at 
least one characteristic signature associated with each said instance; 
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processing a file being transferred between computers by 

determining whether the file being processed is an instance of a known program 
by checking the contents of the file being processed for the presence of said at least one 
characteristic signature associated with the said instances, and 

checking, in the case that the file is determined to be an instance of a known 
program, whether the file is an unchanged version of that known program; 

signalling the file, depending on the determination made by the processing means , 
as being: 

likely to be not malware if it is an unchanged version of a known file; 
likely to be malware if it is a changed version of a known file; or 
of unknown status if it is not determined as being an instance of a known file; and 
storing the determination that the file is likely to be not malware, is likely to be 
malware or is of unknown status. 

Claim 8 (Previously Presented): A method according to claim 7 and including: 
processing a file being transferred between computers to determine whether it is 

considered to be, or considered possibly to be, malware, if the file is signalled by the 

signalling step c) as being of unknown status. 

Claims 9 and 10 (Canceled). 

Claim 1 1 (Previously Presented): A method according to claim 7 wherein the step 
of checking whether the file being processed is an instance of a known program 
comprises generating a checksum for the entire file under consideration or for at least one 
selected region thereof, and comparing the checksum or checksums with those of entries 
in the database. 
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Claim 12 (Previously Presented): A method according to claim 7 further 
including using an exception list to determine, in relation to a file which the processing 
step b) has determined is a changed version of a known file, whether that file has 
characteristics matching an entry in an exception list of files, and wherein, in the 
signalling step c), the file is signalled as malware if it is not in the exception list or as 
being of unknown status otherwise. 

Claim 13 (Previously Presented): An anti-malware file scanning system for 
computer files being transferred between computers, the system comprising: 

a computer database containing records of known executable programs which are 
deemed to be not malware and criteria by which a file being processed can be determined 
to be an instance of one of those programs, the criteria including at least one 
characteristic signature associated with each said instance; 

a processor for processing a file being transferred between computers, the 
processor being operative to determine whether the file being processed is an instance of 
a known program by checking the contents of the file being processed for the presence of 
said at least one characteristic signature associated with the said instances and, in the case 
that the file being processed is determined to be an instance of a known program, to 
check whether the file is an unchanged version of that known program, 

said processor, depending on the determination, identifying the file being 
processed as (i) likely to be not malware if it is an unchanged version of a known file; (ii) 
likely to be malware if it is a changed version of a known file; or (iii) of unknown status 
if it is not determined as being an instance of a known file. 

Claim 14 (Previously Presented): An anti-malware file scanning system according 
to claim 13, further comprising: 

a file-scanning subsystem for scanning files identified by the processor as being of 
unknown status to determine whether the scanned files are malware. 
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Claim 15 (Previously Presented): An anti-malware file scanning system according 
to claim 14, wherein records for files which are instances of programs determined by the 
file-scanning system not to be malware are added to the computer database. 

Claim 16 (Previously Presented): An anti-malware file scanning system according 
to claim 13, wherein the processor assigns a score to a file identified as likely to be 
malware. 
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